A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.

Setting Password Length:
By default, Ubuntu requires a minimum password length of 4 characters, these values are controlled in the file /etc/pam.d/common-password, which is outlined below, look for the line having "pam_unix.so" mentioned ...